Ms. Compy Fix-It is taking a break from fixing the eccentricities of my computer today, to share her/my thoughts on a well-established practice that she/I believe needs re-assessment. That practice is... the “3 tries and you’re locked out” approach to logins.
In this day of Life Itself being carried out largely online, the average user needs (or at least uses) approximately 8 passwords (see here, page 5). That means that sometimes we may forget which one was being used for which site... a fairly common occurrence, I’m sure. To reduce your customers’ frustration, I’d strongly suggest that if you must have this security check in place, you allow the user to try at least 8 times to get their password right. Keep in mind, too, that if your site allows for user names to be repeated, someone may attempt to access another person’s account by accident and cause that account to be suspended.
Just a little tidbit for web developers out there to consider when creating password-based logins.
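
To make the trade-off concrete, here is an added example (not code from any particular site) of a failed-attempt counter with a configurable threshold, run against a constructed user who cycles through 8 passwords and tries the right one last. The `LoginGate` class, the account name and the passwords are all hypothetical, and the lock here never expires, which is a simplification.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # PBKDF2 so the example never stores or compares plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class LoginGate:
    """Hypothetical in-memory login check with a lockout threshold."""
    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.accounts = {}   # username -> (salt, password hash)
        self.failures = {}   # username -> consecutive failed attempts

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        if username not in self.accounts:
            return "denied"
        if self.failures.get(username, 0) >= self.max_attempts:
            return "locked"  # checked first, so a correct password no longer helps
        salt, stored = self.accounts[username]
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[username] = 0  # a successful login resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"

# Constructed sample: the user's 8 passwords; the one for this site comes last.
PASSWORDS = [f"constructed-pw-{i}" for i in range(1, 9)]

def simulate(max_attempts):
    """The owner tries all 8 of their passwords in order."""
    gate = LoginGate(max_attempts)
    gate.register("alice", PASSWORDS[-1])
    return [gate.login("alice", guess) for guess in PASSWORDS]

def stranger_locks_owner(max_attempts):
    """Someone mistypes their user name as 'alice' until the lock trips."""
    gate = LoginGate(max_attempts)
    gate.register("alice", PASSWORDS[-1])
    for _ in range(max_attempts):
        gate.login("alice", "constructed-other-users-password")
    return gate.login("alice", PASSWORDS[-1])  # the real owner, right password
```

With a threshold of 3 the owner is locked before reaching the right password; with 8 the last try gets in. The second function shows the accidental-lockout case: whatever the threshold, failures typed by someone else count against the owner.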